VYPR
Unrated severity · NVD Advisory · Published Feb 26, 2021 · Updated Dec 18, 2025

CVE-2021-27803

Description

A use-after-free in wpa_supplicant's P2P provision discovery processing (v1.0-v2.9) allows an attacker within radio range to cause denial of service or potentially execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in the P2P (Wi-Fi Direct) provision discovery request processing code in p2p/p2p_pd.c of wpa_supplicant versions 1.0 through 2.9 with the CONFIG_P2P build option enabled [1][2][3]. Under a corner case condition, an invalid Provision Discovery Request frame can trigger a state where the oldest peer entry is removed, leaving a freed memory pointer that is subsequently used (read+write) [1][2][3].

Exploitation

An attacker needs to be within radio range of the target device and send a set of specially constructed management frames to reach the corner case in the P2P peer table management [2][3]. No authentication is required; the attacker simply sends crafted Wi-Fi Direct provision discovery requests over the air. The vulnerability is triggered when the invalid frame causes the oldest peer entry to be evicted, leading to use of freed memory [1][2][3].

Impact

Successful exploitation can result in unexpected behavior, including termination of the wpa_supplicant process (denial of service) and potentially arbitrary code execution with the privileges of the wpa_supplicant process [1][2][3]. The scope of compromise depends on the system's configuration and the attacker's ability to control the freed memory contents.

Mitigation

The vulnerability is fixed in wpa_supplicant version 2.10 and later [1][3]. The patch commit "P2P: Fix a corner case in peer addition based on PD Request" is available from the w1.fi security page [3]. Workarounds include disabling P2P at runtime via the control interface command P2P_SET disabled 1 or adding p2p_disabled=1 to the configuration file, or disabling P2P at build time by removing CONFIG_P2P=y [2][3]. No KEV listing has been published at this time.
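
The checks behind the mitigation above, as an added shell example that is not part of the advisory or the wpa_supplicant project: it tests whether a version string falls in the affected 1.0 through 2.9 range and whether a configuration file actually sets p2p_disabled=1 outside any block. The function names and the sample configuration are constructed, and it assumes that a later global assignment overrides an earlier one.

```shell
#!/bin/sh
# Added example, not from the advisory or the wpa_supplicant project.
# Uses only the advisory's facts: affected 1.0 through 2.9, fixed in 2.10,
# workaround p2p_disabled=1 in the configuration file.

# Exit 0 if VERSION is in 1.0..2.9, 1 if outside, 2 if unparsable. Compared
# numerically, because a string compare would sort "2.10" before "2.9".
version_in_affected_range() {
    v=${1#v}                                  # accept "v2.9" or "2.9"
    case "$v" in *.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%[!0-9]*}                    # "9-devel" -> 9, "10.1" -> 10
    case "$major.$minor" in .*|*.|*[!0-9.]*) return 2 ;; esac
    [ "$major" -eq 1 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -le 9 ] && return 0
    return 1
}

# Reads a configuration file on stdin. Exit 0 only if the last uncommented
# p2p_disabled= outside any name={ ... } block is 1 (assumption: last wins).
conf_disables_p2p() {
    awk '
        /^[ \t]*#/                  { next }
        /^[ \t]*[A-Za-z0-9_-]+=[{]/ { depth++; next }
        /^[ \t]*[}]/                { if (depth > 0) depth--; next }
        depth == 0 && /^[ \t]*p2p_disabled=/ {
            sub(/^[ \t]*p2p_disabled=/, ""); sub(/[ \t\r]*$/, ""); val = $0
        }
        END { exit (val == "1" ? 0 : 1) }'
}

# triage VERSION < conf: prints the state a responder should act on.
triage() {
    rc=0; version_in_affected_range "$1" || rc=$?
    case $rc in
        1) echo not-in-range ;;
        2) echo unknown-version ;;
        *) if conf_disables_p2p; then echo in-range-p2p-disabled
           else echo in-range-p2p-enabled; fi ;;
    esac
}

# Constructed sample: the workaround line is present but commented out.
sample_conf() {
    printf '%s\n' 'ctrl_interface=/var/run/wpa_supplicant' '#p2p_disabled=1' \
        'network={' '    ssid="example"' '    key_mgmt=NONE' '}'
}
sample_conf | triage "v2.9"    # prints in-range-p2p-enabled
```

A version inside the range only means the release is one the advisory lists; a vendor package carrying a backported fix would still report that version.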

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

33

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

9
